The conclusion, reported in a recently published research paper from security firm McAfee, is surprising. Most groups behind network-based espionage campaigns take pains to remain hidden to ensure their advanced persistent threat (APT) is able to siphon as much sensitive data as possible. The "Dark Seoul" attack, by contrast, has attracted huge amounts of attention because of its coordinated detonation. It struck government and media networks in South Korea precisely at 2pm local time on March 20, affecting both Internet and mobile banking applications, while taking automatic teller machines offline. Until now, researchers speculated the unknown group behind the attack was primarily motivated by a goal of causing disruptions.

In fact, Dark Seoul was just one component of "Operation Troy," a long-term spying campaign targeting military organizations that dates back to at least 2009. The covert operation gets its name from references to the ancient city found in malware developed by the attackers. The malware made use of a sophisticated control network to carry information over Web and Internet relay chat connections that were secured with strong encryption. Remote access tools installed on compromised target machines methodically searched for military terms and downloaded only documents that were deemed important. The malware initially took hold after the attackers planted a previously undocumented "zero-day" exploit on a military social networking site. The technique is known as a watering-hole-style attack, because it attempts to plant drive-by exploits into sites frequented by the people the attackers hope to infect (similar to a hunter targeting its prey as it drinks water).

"McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities," McAfee researchers Ryan Sherstobitoff, Itai Liba, and James Walter wrote. "The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident. From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets. We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible."

Among the tell-tale signs that the two attacks are related is the code used by Dark Seoul to destroy the master boot record (MBR) of infected machines. That capability also resides in the remote access trojan used in Operation Troy campaigns to wipe data from compromised machines that show signs of being disinfected. By permanently disabling the machines, the attackers stand a much higher chance of hiding their campaign from adversaries. The wiper samples used in the two campaigns weren't identical, but the McAfee report said there were enough similarities that the different samples had to be spawned by the same group.

Also significant, the wiper malware used in Dark Seoul was compiled just hours before it was executed on tens of thousands of machines belonging to South Korean government agencies and media outlets. The timing suggests the targeted computers had been infected days, weeks, or even months in advance, since it's unlikely so many computers could be infected and destroyed in such a short period.

The terms Operation Troy malware searched for included "tactics," "brigade," "logistics," and "Operation Key Resolve," according to the BBC. The last phrase refers to a military exercise involving US and South Korean forces that is carried out every year. The report doesn't identify the group responsible for Operation Troy or the specific South Korean government networks that were infected.

It remains unclear why the wiping Dark Seoul malware was unleashed. The compilation date suggests it was done intentionally rather than by accident. The activation of such a destructive payload touched off the McAfee investigation that ultimately led to the new report about Operation Troy. If the group behind the campaign was hoping to cover its tracks, the clamor it set off by destroying tens of thousands of machines in unison may only have brought attention to a spying operation that previously was largely overlooked.
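The timing argument in the two paragraphs above (the wiper was compiled only hours before the 2pm detonation, so the victims must have been infected well in advance) rests on the TimeDateStamp field in the PE file header. The following Python is an added example, not code from the article or from the McAfee report: it reads that field and compares it with the observed execution time. The PE bytes are a constructed stand-in built in `build_fake_pe`, not a Dark Seoul sample, and the "five hours before" link time is an assumed value for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))
# Execution time reported in the article: 2pm local time, March 20 (2013).
DARK_SEOUL_EXECUTION = datetime(2013, 3, 20, 14, 0, tzinfo=KST)


def build_fake_pe(timestamp: int) -> bytes:
    """Constructed minimal PE image for the demo: a DOS header whose e_lfanew
    points at a PE signature followed by an IMAGE_FILE_HEADER. Not a real sample."""
    dos = bytearray(b"MZ" + b"\x00" * 58)       # 60 bytes up to e_lfanew
    dos += struct.pack("<I", 0x40)               # e_lfanew: PE header at offset 0x40
    file_header = struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: i386
        3,           # NumberOfSections
        timestamp,   # TimeDateStamp: seconds since 1970-01-01 UTC, set by the linker
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xE0,        # SizeOfOptionalHeader (PE32)
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + b"PE\x00\x00" + file_header


def pe_compile_time(data: bytes) -> datetime:
    """Return the linker timestamp from the COFF file header as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def hours_before_execution(data: bytes, executed_at: datetime) -> float:
    """Hours between link time and observed execution. A negative result means the
    stamp post-dates execution, i.e. it was forged or a clock was wrong; the field
    is attacker-controlled, so treat it as a lead, not as proof."""
    return (executed_at - pe_compile_time(data)).total_seconds() / 3600


def demo() -> float:
    # Assumed link time for the demo: five hours before the 2pm KST detonation.
    linked_at = datetime(2013, 3, 20, 9, 0, tzinfo=KST)
    sample = build_fake_pe(int(linked_at.timestamp()))
    return hours_before_execution(sample, DARK_SEOUL_EXECUTION)
```

A gap of a few hours between link time and mass execution on tens of thousands of hosts is what supports the "infected in advance, detonated on schedule" reading; a stamp that post-dates first-seen time is a sign the field was tampered with.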

Unfortunately, while the rest of the world standardized on HTTPS, the South Korean government developed a homegrown encryption standard called SEED, which is only available as an ActiveX control for Internet Explorer on Windows.

This has become a huge problem in recent years, as the use of SEED instead of SSL ties South Korean Internet users to Windows, Internet Explorer, and a proprietary encryption technology which is required for accessing financial, e-commerce, and government websites, and which no other country uses.

They certainly messed up on that one; but that seems like the sort of mistake that (while you get into it by fiat) you could also get out of, by fiat, relatively cheaply. How much could it cost to get NPAPI and PEPPER variants constructed and (say) BSD licensed by your pet contractor? Certainly wouldn't be zero; but it would probably be in the 'less than 10 main battle tanks' range.

When mac gets a lot of users they too will get drive by exploits planted and Safari will eat and die on that.

That's been the mantra since the 90's. Still waiting...

Remember 'jailbreakme'? It was something that the user wanted, and thus not 'malicious'; but it was a 1 step, no touch, drive-by root level attack against Safari and iOS. Boom. Headshot. Game over, man, game over.

Neat little toy like that on some ghastly ad network would have been a bloodbath, had anybody cared.

(Please note, I'm not here to play "But Windows is Worse!!!!". Just to point out that in the context of a motivated adversary, with a targeted interest in hitting an OSX target, there have been options. Windows is certainly where the cash is, for basic economic criminals; but I would hardly trust OSX if somebody were gunning for me...

So is this N Korea or China that's perpetrating these attacks? Sounds like it could be N Korea based on the targets, but I don't think they have computers up there or know how to use them. ; )

That sort of underestimation is precisely what NK wants. While the network infrastructure within NK is... lacking, the skilled programmers are out in China to sharpen their skills and make money for the homeland.

Macs are usually one of the first targets to fall in the Pwn2Own competitions. Get a secure BSD or Linux box.

As for the article, why should this surprise anyone? Our governments have been hacking and spying on people all over the world. I think it's a matter of fair game.

Ah, OS X IS BSD Unix. (with lipstick).

He said "secure" BSD. An OS is only as secure as the base install set and the meatbag behind the keyboard. Once you get a full desktop install with a bunch of complex listen servers, and a UNIX "admin" who gives you a blank stare when you ask how to open a terminal, it's no longer secure.

Ah, no he didn't. What you stated applies to BSD in general. Don't get religious about this.

No offense or religiousness intended, but isn't the BSD aspect of OS X largely limited to the Mach kernel and a few other fragments from NeXTSTEP, with the rest being Apple's work? That might explain why OS X has been hacked so early on in competitions while BSD is still considered pretty well rock-hard.

The author gathers the opposite inference than I do with regard to the compilation date and the purposeful nature of the wipe.

To me, the compilation of the wiping code just hours before the wipe occurred leads me to believe that it could have been a bug. The compilation date tells us that the final form of the malware was NOT tested, but rather was compiled and deployed immediately. As any software developer here knows, that little change made at the end of development that "has no chance of failing" is guaranteed to cause a problem.

The other possibility is they executed the code to try and cover their tracks and it signals the end of operations. Rather than try to have the malware remove itself, destroy the computers it lives on and then no one knows it was there, right? But a sophisticated malware group (which this points to being a nation state, so we can assume so) would know that this would not hold up under scrutiny.

I would propose that the compilation date signifies that it was an accident, not purposeful, particularly when you consider that it happened precisely at 2pm. If it was a by-hand order, the command would take time to propagate (yes, I'm making presumptions about the command structure of the malware, but what else can I do?), whereas an exact hour mark indicates that it was in-code. 2pm corresponds with 0:00 AM on the east coast of the USA (ignoring DST), which seems remarkably coincidental, though if that was a clue, one would wonder why they would have to spy on their own operation.

I never said it didn't. What I said applies to all operating systems in general. Windows is insecure because the average Windows user is an idiot when it comes to computers. OSX is insecure because the average OSX user is a pretentious idiot when it comes to computers. The only way to make a truly secure operating system is to assume the user is an idiot, and thus have the system automatically secure itself FROM the user, but there is very little utility in such a system.

Most forms of BSD are secure, because they do nothing. They're running SSHD, little else, and root access through SSH is disabled by default. They're not made insecure until the user starts adding accounts with crappy passwords, and installing things to actually make the system do something useful. Meanwhile, OSX comes useful out-of-the-box, with all those normal desktop applications already installed and running.

OSX between 2010-2013 has fixed few of its remaining vulns, while Windows with its historically poor modular design continues to surface bugs. Things should be better post Windows 8 onwards, and MS has largely rewritten Windows (refactored in software development terms) so it is more modular. Meaning fixes really fix things instead of cropping up with issues elsewhere.

So at present OSX/Macs are still a better option compared to any windows. For extreme caution with maybe reduced UI friendliness consider a hardened FreeBSD distro.

Why do people keep missing the most important point here? This is NOT some random virus people got. It was a targeted attack by a nation state, which has access to the resources needed for zero-day exploits and spear-phishing. If you are targeted by such an attack, just using normal security practices isn't going to cut it. People are fooling themselves thinking that "using a secure OS" and using anti-virus software is going to stop this kind of attack. It's like saying "Oh, the IRS can't get my money, I've got one of those wallets that has a chain that attaches to my pants."